remcos | 0b7faafb8da0c827bd09a35795d30bb4a703e6ad53c5ca99cfdd1cbfd63dd55f | Triage

Sharing

General

Target

documents.exe
Size

488KB
Sample

250113-n8k2bs1nfw
MD5

bf94dfb3c600fea20a0eb3b6f2ce410f
SHA1

9be4b304813ff777c1f5aa753dabe2b4aeb07391
SHA256

0b7faafb8da0c827bd09a35795d30bb4a703e6ad53c5ca99cfdd1cbfd63dd55f
SHA512

00c72914e7344bb25b20296cb215bd3c53246eb4b55ca176ffb2a9226444d0ba992699337c76815e6a127738a8d616e466f06e2b3808e73397dc54eddf60891a
SSDEEP

6144:IuaNeIQv1dV4sXmFr7LAFIzT/72clnlePVTn0L9DEBDYTU6qynIHtc+KC:3SDQ3usXmFr70FGxlkn0LJYDiU6qyat

Score

10^/10

remcos yavakosa discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Yavakosa

C2

198.23.227.212:32583

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
yavascript.exe
copy_folder
xenor
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DCHPS3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  documents.exe
- Size
  
  488KB
- MD5
  
  bf94dfb3c600fea20a0eb3b6f2ce410f
- SHA1
  
  9be4b304813ff777c1f5aa753dabe2b4aeb07391
- SHA256
  
  0b7faafb8da0c827bd09a35795d30bb4a703e6ad53c5ca99cfdd1cbfd63dd55f
- SHA512
  
  00c72914e7344bb25b20296cb215bd3c53246eb4b55ca176ffb2a9226444d0ba992699337c76815e6a127738a8d616e466f06e2b3808e73397dc54eddf60891a
- SSDEEP
  
  6144:IuaNeIQv1dV4sXmFr7LAFIzT/72clnlePVTn0L9DEBDYTU6qynIHtc+KC:3SDQ3usXmFr70FGxlkn0LJYDiU6qyat
Score

10^/10

remcos yavakosa discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosyavakosadiscoverypersistencerat

behavioral2

remcosyavakosadiscoverypersistencerat